diff options
Diffstat (limited to 'results/classifier/118/device/782')
| -rw-r--r-- | results/classifier/118/device/782 | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/results/classifier/118/device/782 b/results/classifier/118/device/782 new file mode 100644 index 00000000..c5a7675c --- /dev/null +++ b/results/classifier/118/device/782 @@ -0,0 +1,35 @@ +device: 0.858 +vnc: 0.750 +network: 0.682 +graphic: 0.585 +VMM: 0.527 +i386: 0.475 +semantic: 0.454 +files: 0.398 +PID: 0.351 +register: 0.333 +socket: 0.328 +boot: 0.304 +TCG: 0.303 +ppc: 0.286 +x86: 0.263 +architecture: 0.260 +risc-v: 0.249 +virtual: 0.224 +mistranslation: 0.213 +arm: 0.211 +hypervisor: 0.204 +kernel: 0.168 +permissions: 0.144 +debug: 0.121 +performance: 0.087 +KVM: 0.076 +user-level: 0.076 +peripherals: 0.072 +assembly: 0.051 + +nvme: DMA reentrancy issue leads to use-after-free (CVE-2021-3929) +Description of problem: +A DMA reentrancy issue was found in the NVM Express Controller (NVMe) emulation. Functions dma_buf_write() or dma_buf_read() in hw/nvme/ctrl.c:nvme_tx() can be called without checking if the destination region overlaps with device's MMIO. This is similar to CVE-2021-3750 (https://gitlab.com/qemu-project/qemu/-/issues/541) and, just like it, when the reentrancy write triggers the reset function nvme_ctrl_reset(), data structs will be freed leading to a use-after-free issue. A malicious guest could use this flaw to crash the QEMU process on the host, resulting in a denial of service condition or, potentially, executing arbitrary code within the context of the QEMU process on the host. + +This issue was reported by Qiuhao Li. |